nftables-1.0.4-7.el8

* Fri Nov 29 2024 Phil Sutter <psutter@redhat.com> [1.0.4-7.el8] - xt: Fix translation error path (Phil Sutter) [RHEL-5806] Resolves: RHEL-5806
2024-11-29 12:06:32 +01:00 · 2024-11-29 12:06:32 +01:00 · ca551b3c26
commit ca551b3c26
parent 810f4662e9
2 changed files with 75 additions and 1 deletions
--- a/0042-xt-Fix-translation-error-path.patch
+++ b/0042-xt-Fix-translation-error-path.patch
@ -0,0 +1,70 @@
+From 5e5919ad698c6edfd0c1bbbd47d97309c0cb7a83 Mon Sep 17 00:00:00 2001
+From: Phil Sutter <psutter@redhat.com>
+Date: Fri, 29 Nov 2024 12:01:39 +0100
+Subject: [PATCH] xt: Fix translation error path
+
+JIRA: https://issues.redhat.com/browse/RHEL-5806
+Upstream Status: nftables commit ce3d71348ee77d2d7ffa6a825afbc7471e92bc89
+
+commit ce3d71348ee77d2d7ffa6a825afbc7471e92bc89
+Author: Phil Sutter <phil@nwl.cc>
+Date:   Tue Mar 28 13:46:10 2023 +0200
+
+    xt: Fix translation error path
+
+    If xtables support was compiled in but the required libxtables DSO is
+    not found, nft prints an error message and leaks memory:
+
+    | counter packets 0 bytes 0 XT target MASQUERADE not found
+
+    This is not as bad as it seems, the output combines stdout and stderr.
+    Dropping stderr produces an incomplete ruleset listing, though. While
+    this seemingly inline output can't easily be avoided, fix a few things:
+
+    * Respect octx->error_fp, libnftables might have been configured to
+      redirect stderr somewhere else.
+    * Align error message formatting with others.
+    * Don't return immediately, but free allocated memory and fall back to
+      printing the expression in "untranslated" form.
+
+    Fixes: 5c30feeee5cfe ("xt: Delay libxtables access until translation")
+    Signed-off-by: Phil Sutter <phil@nwl.cc>
+
+Signed-off-by: Phil Sutter <psutter@redhat.com>
+---
+ src/xt.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/src/xt.c b/src/xt.c
+index 31cf40e..6d5866d 100644
+--- a/src/xt.c
+++ b/src/xt.c
+@@ -56,9 +56,10 @@ void xt_stmt_xlate(const struct stmt *stmt, struct output_ctx *octx)
+ 	case NFT_XT_MATCH:
+ 		mt = xtables_find_match(stmt->xt.name, XTF_TRY_LOAD, NULL);
+ 		if (!mt) {
+-			fprintf(stderr, "XT match %s not found\n",
+			fprintf(octx->error_fp,
+				"# Warning: XT match %s not found\n",
+ 				stmt->xt.name);
+-			return;
+			break;
+ 		}
+ 		size = XT_ALIGN(sizeof(*m)) + stmt->xt.infolen;
+ 
+@@ -83,9 +84,10 @@ void xt_stmt_xlate(const struct stmt *stmt, struct output_ctx *octx)
+ 	case NFT_XT_TARGET:
+ 		tg = xtables_find_target(stmt->xt.name, XTF_TRY_LOAD);
+ 		if (!tg) {
+-			fprintf(stderr, "XT target %s not found\n",
+			fprintf(octx->error_fp,
+				"# Warning: XT target %s not found\n",
+ 				stmt->xt.name);
+-			return;
+			break;
+ 		}
+ 		size = XT_ALIGN(sizeof(*t)) + stmt->xt.infolen;
+ 
+-- 
+2.46.2
+
--- a/nftables.spec
+++ b/nftables.spec
@ -1,5 +1,5 @@
 %define nft_rpmversion 1.0.4
-%define nft_specrelease 6
+%define nft_specrelease 7
 %define libnftnl_ver 1.2.2-1

 Name:           nftables
@ -62,6 +62,7 @@ Patch38:            0038-xt-Rewrite-unsupported-compat-expression-dumping.patch
 Patch39:            0039-xt-Fall-back-to-generic-printing-from-translation.patch
 Patch40:            0040-xt-Fix-fallback-printing-for-extensions-matching-key.patch
 Patch41:            0041-evaluate-un-break-rule-insert-with-intervals.patch
+Patch42:            0042-xt-Fix-translation-error-path.patch

 BuildRequires: autoconf
 BuildRequires: automake
@ -181,6 +182,9 @@ touch -r %{SOURCE2} $RPM_BUILD_ROOT/%{python3_sitelib}/nftables/nftables.py
 %{python3_sitelib}/nftables/

 %changelog
+* Fri Nov 29 2024 Phil Sutter <psutter@redhat.com> [1.0.4-7.el8]
+- xt: Fix translation error path (Phil Sutter) [RHEL-5806]
+
 * Tue Oct 29 2024 Phil Sutter <psutter@redhat.com> [1.0.4-6.el8]
 - evaluate: un-break rule insert with intervals (Phil Sutter) [RHEL-62895]